Re: [patch] Syscall auditing - move "name=" field to the end
On Thursday 17 March 2005 12:30 pm, Chris Wright wrote:
* Kris Wilson (krisw(a)us.ibm.com) wrote:
> > I don't think this patch is enough -- either we need to escape the text
> > completely or just dump it as hex instead of a string. One option would
> > be to dump it in quotes as a string if all chars in the string are in
> > the range 0x20-0x7e, and as hex otherwise. That slightly complicates
> > the parsing, but not by much, and still gives you plain text in the
> > majority of cases while protecting against abuse.
>
> Dumping in hex instead of string would have a testing impact. Using a
> string in quotes would be a
> smaller hit, but there still would be additional impact to test the "hex
> otherwise" case.
We need to do something, as it is the data can't be trusted. It's a way
for user to possibly inject false audit messages. And most characters
are valid in pathnames.
thanks,
-chris
Let's rewrite Linux. J/K. But all jokes aside, can't we just log out the
length of the name= field with the rest of the record, ie: name_len=7
name=linux\n\0?
-tim